“Non-invasive attacks”, which attack a target without destroying it, are known techniques for acquiring secret information stored in the attack target. Non-invasive attacks include a “fault attack”, which causes the attack target to malfunction in order to obtain data related to the secret information, and a “side channel attack” such as Differential Power Analysis (DPA) or Differential Electro-Magnetic Analysis (DEMA), which estimates the secret information of the attack target by measuring the power consumption or leaked electromagnetic emission during execution of the encryption and performing a statistical analysis between the measurement data and the operation data estimated by the attacker.
In a side channel attack, the attacker needs the input data value, the output data value, and knowledge of the cryptographic algorithm of the attack target, because the attack procedure requires estimating the data processed inside the target during the operation.
More specifically, the attacker estimates the key data, and then the data during the operation of the target is derived from the input data and the cryptographic algorithm using the estimated key data. The correlation between this estimated operation data and the measured power consumption or leaked electromagnetic emission is then calculated, and it is determined whether such a correlation exists. If it does, the secret information has been correctly estimated and the attack is successful.
In short, a side channel attack succeeds when the attacker can correctly estimate the data during the operation of the attack target and that estimated operation data correlates with the measurement data of the attack target.
An effective countermeasure against side channel attacks is therefore to prevent the attacker from estimating the data during the operation. Several countermeasure methods based on this idea have been proposed; one of them is the data mask method. The data mask method masks the data during the cryptographic operation of the apparatus under attack with a value unknown to the attacker (e.g., a random number), so that the data during the operation becomes a value the attacker cannot estimate. Because the data during the operation is masked with a random number, the attacker cannot correctly estimate it without knowing the mask value. Even if the attacker measures the power consumption or leaked electromagnetic emission and tries to correlate the measurement data with the estimated operation data, no correlation appears, because the data actually processed during the cryptographic operation is masked with the random number. The attack therefore fails.
For example, Tomohisa Wada, “SubBytes Transformation circuit Design Specification for Common Key Cryptography AES”, Design Wave Magazine, November 2003, pp. 151-155 (available at www.cqpub.co.jp/dwm/contents/0072/dwm007201511.pdf) (reference [1]) discloses an operation circuit for the block cipher algorithm AES (Advanced Encryption Standard), whose specifications are defined in FIPS 197 (Federal Information Processing Standards 197). This circuit integrates the SubBytes operation circuit used for encryption and the InvSubBytes operation circuit used for decryption, so that the SubBytes operation and the InvSubBytes operation are performed selectively by the same circuit. This makes it possible to reduce the logic when the circuit is implemented in hardware. The operation circuit disclosed in reference [1], however, makes no provision against side channel attacks.
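As an added illustration (not part of the original text, and not the circuit of reference [1]), the following Python example applies the data mask method of the preceding paragraphs to the SubBytes operation: the S-box is computed from the GF(2^8) inversion and affine transformation of FIPS 197, a masked table is built for a random input mask and output mask, and, under an assumed Hamming-weight leakage model, the byte actually handled is shown to be uncorrelated with the attacker's estimate S(x) once masks are applied. The leakage model, the sample counts and the mask values are assumptions made for the demonstration.

```python
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (FIPS 197)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return r

def gf_inv(a):
    """Inverse found by search; 0 maps to 0 as FIPS 197 defines. Fine for a one-time table."""
    return 0 if a == 0 else next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def sbox(x):
    """SubBytes: GF(2^8) inversion followed by the affine transformation (FIPS 197 section 5.1.1)."""
    b = gf_inv(x)
    s = b
    for i in range(1, 5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [sbox(i) for i in range(256)]

def masked_sbox_table(m_in, m_out):
    """T'[x ^ m_in] == S(x) ^ m_out: neither the index used nor the entry read equals S(x)."""
    return [SBOX[j ^ m_in] ^ m_out for j in range(256)]

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5

def leakage_correlation(n, masked, seed=7):
    """Assumed Hamming-weight leakage: correlate the byte the circuit handles with the attacker's
    estimate S(x). Seeded only for reproducibility; deployed masks come from a hardware RNG."""
    rng, hw = random.Random(seed), (lambda v: bin(v).count("1"))
    estimated, handled = [], []
    for _ in range(n):
        x = rng.randrange(256)
        m_in, m_out = (rng.randrange(256), rng.randrange(256)) if masked else (0, 0)
        value = masked_sbox_table(m_in, m_out)[x ^ m_in]  # with zero masks this is plain S(x)
        estimated.append(hw(SBOX[x]))
        handled.append(hw(value))
    return pearson(estimated, handled)
```

Without masks the handled byte is S(x) itself and the correlation is 1; with fresh masks per operation the masked table still yields S(x) after unmasking, but the handled byte is statistically independent of the attacker's estimate.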
In conventional operation circuits that include nonlinear operations, no consideration has been given to both reducing the logic circuit and countering side channel attacks.